Add opendkim setup

roles/mailserver/defaults/main.yml

@@ -15,3 +15,5 @@ mailserver_vmail_user: vmail
 
 mailserver_tls_cert_file: "/var/lib/dehydrated/certs/{{ mailserver_mailname }}/fullchain.pem"
 mailserver_tls_key_file: "/var/lib/dehydrated/certs/{{ mailserver_mailname }}/privkey.pem"
+
+mailserver_dkim_selector: 2022

roles/mailserver/files/etc/rspamd/local.d/classifier-bayes.conf

@@ -1,5 +1,6 @@
 # Managed by Ansible.
 
+autolearn = true;
 backend = "redis";
 expire = 8640000;
 new_schema = true;

roles/mailserver/handlers/main.yml

@@ -1,13 +1,20 @@
 ---
+- block:
 
-- name: systemctl restart dovecot
-  systemd:
-    name: dovecot.service
-    state: restarted
-  become: true
+  - name: systemctl restart dovecot
+    systemd:
+      name: dovecot.service
+      state: restarted
 
-- name: systemctl restart postfix
-  systemd:
-    name: postfix.service
-    state: restarted
-  become: true
+  - name: systemctl restart postfix
+    systemd:
+      name: postfix.service
+      state: restarted
+
+  - name: systemctl restart opendkim
+    systemd:
+      name: opendkim.service
+      state: restarted
+
+  become: "{{ mailserver_become }}"
+  become_user: "{{ mailserver_become_user }}"

roles/mailserver/tasks/main.yml

@@ -2,6 +2,7 @@
 - block:
 
   - import_tasks: vmail.yml
+  - import_tasks: opendkim.yml
   - import_tasks: postfix.yml
   - import_tasks: dovecot.yml
   - import_tasks: rspamd.yml

roles/mailserver/tasks/opendkim.yml

@@ -0,0 +1,39 @@
+---
+
+- name: install opendkim
+  ansible.builtin.apt:
+    name:
+      - opendkim
+      - opendkim-tools
+    state: present
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: check if the DKIM cert for specified selector exists
+  stat:
+    path: "/etc/dkimkeys/{{ mailserver_dkim_selector }}.private"
+  register: dkim_cert
+
+- name: generate key pair for domain and selector
+  shell: |
+    sudo -u opendkim opendkim-genkey -D /etc/dkimkeys -d {{ mailserver_mailname }} -s {{ mailserver_dkim_selector }}
+  when: not dkim_cert.stat.exists
+
+- name: configure DKIM
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  with_items:
+    - regexp: "^#?Domain"
+      line: "Domain {{ mailserver_mailname }}"
+    - regexp: "^#?Selector"
+      line: "Selector {{ mailserver_dkim_selector }}"
+    - regexp: "^#?KeyFile"
+      line: "KeyFile /etc/dkimkeys/{{ mailserver_dkim_selector }}.private"
+    - regexp: '^#?Socket(\s+)local:/run/opendkim/opendkim.sock'
+      line: "#Socket local:/run/opendkim/opendkim.sock"
+    - regexp: '^#?Socket(\s+)inet:8891@localhost'
+      line: "Socket inet:8891@localhost"
+  notify: systemctl restart opendkim

roles/mailserver/tasks/sqlite.yml

@@ -1,13 +1,13 @@
 ---
 
 - name: install sqlite3
-  apt:
+  ansible.builtin.apt:
     name: sqlite3
     update_cache: true
     cache_valid_time: 3600
 
 - name: import schema
-  shell: |
+  ansible.builtin.shell: |
     sqlite3 /etc/dovecot/authdb.sqlite << EOF
       CREATE TABLE IF NOT EXISTS alias (
           address VARCHAR(255) NOT NULL PRIMARY KEY,
@@ -42,7 +42,7 @@
     EOF
 
 - name: ensure /etc/dovecot/authdb.sqlite is owned by dovecot and postfix
-  file:
+  ansible.builtin.file:
     path: "{{ mailserver_auth_database }}"
     owner: dovecot
     group: postfix

roles/mailserver/templates/etc/postfix/main.cf.j2

@@ -99,3 +99,7 @@ local_recipient_maps = $virtual_mailbox_maps
 
 virtual_transport = dovecot
 dovecot_destination_recipient_limit = 1
+
+# OpenDKIM
+smtpd_milters = inet:localhost:8891
+non_smtpd_milters = $smtpd_milters